Encryption software is not something to be trusted; its use is to be regarded as a necessary evil, likely to fail without warning, and prone to catastrophic failure in two modes: being completely ineffective, and being all too effective (it locks you out of your own data as thoroughly as it locks out anyone else). People are not good at key management, and the day you think you have learned how to be good at key management is the day you will screw it up royally.
1. Generate private keys on a host that is fully disconnected from the network using an OS image dedicated to that purpose.
2. Make backups, on paper, and keep them in separate locations; take reasonable precautions to make sure that root keys are recoverable. Be aware of how every backup weakens your security, and of what tripwires and alarms you need in place so that an attacker who gets at one of them does not go unnoticed.
3. Do create intermediate signing keys; you shouldn't need to open the vault to create an email alias or process a new hire.
4. Do re-key on a schedule. Do not generate fresh keys ahead of time: a key that exists before it is needed can be stolen before it is needed.
5. You are not MI6 or the NSA; you will screw it up. Have a plan for when that happens.
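One way to do the paper backups in item 2 without any single sheet being a complete copy of the root key is to split the key into k-of-n shares with Shamir secret sharing and write each share out as a checksummed base32 line. This is an added example, not code from the original page; the page only says to keep paper copies in separate locations, and the share scheme, the function names and the 4-byte SHA-256 checksum are my own choices. It uses only the Python standard library and runs offline, which is where item 1 says this kind of thing belongs anyway.

```python
"""Split a root key into k-of-n paper shares (Shamir secret sharing over GF(256)).

Added example, not from the original page. Standard library only.
Each share becomes a base32 line with a 4-byte SHA-256 checksum, so a
transcription error from paper is detected instead of silently yielding a wrong key.
"""
import base64
import hashlib
import secrets

_CHECK_LEN = 4  # bytes of SHA-256 appended to each paper line (my choice, not the page's)


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Inverse in GF(2^8): a^254 == a^-1 because the multiplicative group has order 255."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(256)")
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    r = 0
    for c in reversed(coeffs):
        r = _gf_mul(r, x) ^ c
    return r


def split_secret(secret: bytes, k: int, n: int) -> list:
    """Return n shares (index, bytes); any k of them recover `secret`, fewer reveal nothing."""
    if not 1 < k <= n < 256:
        raise ValueError("need 1 < k <= n < 256")
    shares = [bytearray() for _ in range(n)]
    for byte in secret:
        # One random polynomial of degree k-1 per secret byte, CSPRNG coefficients.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for i in range(n):
            shares[i].append(_eval_poly(coeffs, i + 1))  # x = 0 holds the secret, never issued
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]


def recover_secret(shares: list) -> bytes:
    """Lagrange-interpolate each byte at x = 0. Too few shares give garbage, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for pos in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = _gf_mul(num, xm)       # (0 - xm) == xm in characteristic 2
                    den = _gf_mul(den, xj ^ xm)  # (xj - xm) == xj ^ xm
            acc ^= _gf_mul(yj[pos], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


def encode_share(index: int, data: bytes) -> str:
    """Paper form: base32 of index||data||checksum, grouped in 4s for easier copying."""
    body = bytes([index]) + data
    check = hashlib.sha256(body).digest()[:_CHECK_LEN]
    text = base64.b32encode(body + check).decode("ascii").rstrip("=")
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))


def decode_share(line: str) -> tuple:
    """Inverse of encode_share; raises ValueError if the line was mis-transcribed."""
    raw = line.strip().upper().replace(" ", "")
    raw += "=" * (-len(raw) % 8)
    blob = base64.b32decode(raw)
    body, check = blob[:-_CHECK_LEN], blob[-_CHECK_LEN:]
    if hashlib.sha256(body).digest()[:_CHECK_LEN] != check:
        raise ValueError("checksum mismatch: transcription error")
    return body[0], body[1:]


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)         # stand-in for a freshly generated root key
    shares = split_secret(root_key, k=3, n=5)  # any 3 of the 5 sheets recover it
    for idx, data in shares:
        print(f"share {idx}: {encode_share(idx, data)}")
    any_three = [decode_share(encode_share(i, d)) for i, d in shares[1:4]]
    assert recover_secret(any_three) == root_key
```

The checksum is there for the paper round trip, not for security: a single wrong character on a sheet would otherwise produce a plausible-looking but useless key, and you would only find out when the vault did not open. Note that recovery with fewer than k shares does not fail loudly either; it returns bytes that are uniformly wrong, so the recovery procedure itself needs a known-answer check (a signature over a fixed message, for instance) before anyone trusts the result.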
Use full-disk encryption (TrueCrypt for Windows, LUKS for Linux, softraid crypto for OpenBSD, etc.). File-based encryption is too easy to get wrong: are you sure that your editor didn't write an unencrypted copy to disk and delete it immediately after? Deleting a file does not erase its blocks, and swap and temporary files are just as unencrypted as that copy was.